So I have had an idea recently. In my experience, Wi-Fi security is one of the easiest ways into a network (just ask Albert Gonzalez and TJ Maxx), so if a nation state or another APT has the resources to get operatives into the target's city, wouldn't their Wi-Fi network be an easy way in? I mean, all they would have to do is: if they have WEP, crack it; if they have WPA/WPA2 Personal, crack it; or if they have PEAP, do what I call a kick-and-call: figure out which client on the network has which phone number, deauth them (or deauth the network wholesale, repeatedly), then call them up, ask if they are having network trouble and get them to connect to a honeypot, crack the MS-CHAPv2 hash and you are in. I digress, but Wi-Fi security in many ways is the poor relation of computer security, so what is there to stop APTs from exploiting it? In my opinion this is something governments and other high-risk targets need to take into consideration: beef up your Wi-Fi security and get a WIDS!!!

Last edited by jinwald12 on Wed Mar 07, 2012 1:57 am, edited 1 time in total.
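The "get a WIDS" point in the post above can be made concrete. The following is an added example, not code from the original thread: a minimal deauth/disassoc flood detector in Python that parses raw 802.11 management headers and alerts the first time a BSSID is hit by a threshold of deauth frames inside a sliding window, calling out broadcast deauths since a real AP rarely kicks its whole BSS repeatedly. The frames, MAC addresses, timestamps and threshold values are constructed for the demo.

```python
"""Added example: a minimal deauth/disassoc flood detector in the spirit of a WIDS.

Not code from the original thread. It parses the 802.11 MAC header of each
captured frame, keeps only deauthentication (subtype 12) and disassociation
(subtype 10) management frames, and raises an alert the first time a BSSID is
hit by THRESHOLD or more of them inside a sliding WINDOW_SECONDS window.
All frames, MAC addresses, timestamps and tuning values are constructed here.
"""
import struct
from collections import deque

WINDOW_SECONDS = 5.0   # sliding window length (assumed tuning value)
THRESHOLD = 10         # deauth/disassoc frames per BSSID per window (assumed)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def parse_frame(frame: bytes):
    """Return (kind, da, sa, bssid, reason) for a deauth/disassoc frame, else None.

    Frame Control byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype.
    For a management frame Addr1 = DA, Addr2 = SA, Addr3 = BSSID; the reason
    code is the first two bytes of the body, little-endian.
    """
    if len(frame) < 24:
        return None
    fc = frame[0]
    version, ftype, subtype = fc & 0x03, (fc >> 2) & 0x03, (fc >> 4) & 0x0F
    if version != 0 or ftype != 0:          # only management frames
        return None
    if subtype not in (0x0A, 0x0C):          # 0x0A disassoc, 0x0C deauth
        return None
    da, sa, bssid = mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])
    reason = struct.unpack("<H", frame[24:26])[0] if len(frame) >= 26 else None
    kind = "deauth" if subtype == 0x0C else "disassoc"
    return kind, da, sa, bssid, reason


def detect_floods(capture, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """capture: iterable of (timestamp_seconds, raw_frame) in time order.

    Returns one alert dict per BSSID, emitted the first time it crosses the
    threshold within the window.
    """
    recent, alerted, alerts = {}, set(), []
    for ts, frame in capture:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        kind, da, sa, bssid, reason = parsed
        q = recent.setdefault(bssid, deque())
        q.append((ts, da))
        while q and ts - q[0][0] > window:     # drop frames older than the window
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({"bssid": bssid, "count": len(q), "kind": kind,
                           "broadcast": any(d == BROADCAST for _, d in q),
                           "reason": reason, "first_ts": q[0][0], "last_ts": ts})
    return alerts


def build_mgmt_frame(subtype: int, da: str, sa: str, bssid: str, body: bytes = b"") -> bytes:
    """Construct a raw 802.11 management frame for the demo (duration and seq = 0)."""
    fc0 = (subtype << 4) | (0 << 2) | 0      # type 0 = management, version 0
    header = (bytes([fc0, 0x00, 0x00, 0x00]) + mac_bytes(da) + mac_bytes(sa)
              + mac_bytes(bssid) + b"\x00\x00")
    return header + body


def build_deauth(da, sa, bssid, reason=7):
    return build_mgmt_frame(0x0C, da, sa, bssid, struct.pack("<H", reason))


def sample_capture():
    """Constructed capture: one legitimate deauth, beacons, a slow trickle of
    deauths on a second AP, and a spoofed broadcast deauth flood against AP1."""
    ap1, ap2, client = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "de:ad:be:ef:00:01"
    cap = [(0.0, build_deauth(ap1, client, ap1, reason=3))]                                   # client leaving
    cap += [(float(t), build_mgmt_frame(0x08, BROADCAST, ap1, ap1)) for t in range(1, 200, 10)]  # beacons
    cap += [(float(t), build_deauth(client, ap2, ap2, reason=2)) for t in (30, 90, 150)]        # slow trickle
    cap += [(round(100.0 + 0.1 * i, 1), build_deauth(BROADCAST, ap1, ap1)) for i in range(20)]  # flood
    cap.sort(key=lambda x: x[0])
    return cap


if __name__ == "__main__":
    for a in detect_floods(sample_capture()):
        print(f"ALERT bssid={a['bssid']} {a['count']} {a['kind']} frames in "
              f"{a['last_ts'] - a['first_ts']:.1f}s broadcast={a['broadcast']} reason={a['reason']}")
```

On the constructed capture only AP1 alerts: the single deauth at t=0 and the three deauths spread over minutes on AP2 stay under the threshold, while ten spoofed broadcast deauths in under a second trip it. A real monitor-mode capture would feed the same function with frames from the radiotap-stripped payload.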

There's also EAP-TLS and EAP-TTLS for more robust infrastructures. The most sensitive organizations probably just forgo wireless altogether.

You should also regularly scan for things like employees bringing in their own APs (e.g. so they can get their tablet online at work), or connecting WNICs to their systems (to circumvent web filtering by connecting to an open AP).

Part of what makes the advanced targeted attacks so "advanced" is their ability to be stealthy. The attacker will need to do a bit of recon around the target site. This means they physically need to have someone scope it. Granted, they could pay someone to do it for them and then provide them with whatever they need dropped in once the WLAN has been breached. But the risk of getting caught is much greater. Many of these attackers can hide behind the home country and are almost untouchable. The moment they set foot on US soil, they are now unprotected and can be caught and detained. Why risk it when you can send a phishing email to an unsuspecting user and quickly load the droppers for your backdoors?

If a proper NAC is in place, then a physical breach will hopefully be pointless, or at least pose too great a risk to bother. The more systems they have to circumvent, the more noise they will make and the faster the SOC will catch on.

Now if you were to target, say, a customer or sub-contractor of the company and compromise their network through weak Wi-Fi, then you may have a better chance. Depending on the sensitivity of the data these companies have, you still may fall prey to the parent company's security measures.

About EAP-TTLS and EAP-TLS: yes, they are more secure, but PEAP is much more common because it uses already available credentials and infrastructure. Most companies already have RADIUS servers, and not as many AP vendors sell devices that support or are optimized for TLS or TTLS, so PEAP is the de facto standard for WPA Enterprise and the most common implementation of 802.1X. About the recon aspects, if you read the Wikipedia article on APTs it reads:

Advanced persistent threat (APT) usually refers to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage, but applies equally to other threats such as that of traditional espionage or attack.

And I bet the FSB, PLA or Iranian Revolutionary Guard could easily get (and have gotten) people into the U.S. or Europe to do B&E, so this is just taking it a step forward (or in some cases a step back), and a lot of that recon can be done with OSINT sources; a lot, not all. And NACing or DMZing is not a 100% fix: all they have to do is pop a computer connected to the Wi-Fi that also has an Ethernet connection to pivot, and if they use PEAP (which most of the companies where I live do) they already have a set of credentials for the other machines on the network, not just the Wi-Fi. Remember, most PEAP implementations use the same RADIUS servers as Windows login, and even if they don't there is password re-use and derivable attacks. Also, most APTs have access to HUMINT resources, so paying a janitor to re-arrange a few cables to create a bridge into the internal network would not be too hard, albeit risky, and I don't think they would trust a janitor; perhaps a crooked IT person. That is another thing: APTs could recruit insiders to do the B&E work, as 3xban mentioned. As for the being stealthy part, someone sitting in a van down the street is pretty commonplace where I live and in most cities. Also, most IDS and IPS (excluding WIDS/WIPS solutions) focus on connections inbound from external sources, and in some government and intelligence agencies I would imagine they could not sniff or log traffic for sensitive departments or projects, making a physical access or wireless attack even more stealthy. One of the main problems I have with the infosec and physical security departments in most organizations is they don't work together when they should. What good is a strong network-based camera and door swipe card system if its control computer can be found via Shodan (http://www.shodanhq.com/search?q=GoAhea ... revalidate) and uses ancient software? What's the point of having a multi-thousand-dollar IDS/IPS solution if its host box's power source can be cut from outside the building?
We need to start working with the physical security people more than we do right now; the Navy and the Army have the Marines for a reason.
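The weak link in the kick-and-call scenario described in this thread is a supplicant that will build the PEAP tunnel to any RADIUS server, which is what lets a honeypot AP terminate the TLS tunnel and capture the inner MS-CHAPv2 exchange for offline cracking. The following is an added example, not code from the thread or from wpa_supplicant itself: a Python audit of wpa_supplicant.conf-style network blocks that flags PEAP/TTLS networks with no ca_cert/ca_path and no server name match (domain_suffix_match, domain_match, subject_match or altsubject_match, all real wpa_supplicant parameters). The config text, SSIDs, file paths, identities and hostnames are constructed for the demo.

```python
"""Added example: audit wpa_supplicant.conf network blocks for PEAP/TTLS settings
that let a rogue AP terminate the TLS tunnel.

Not code from the thread or from wpa_supplicant. The parameter names checked
(ca_cert, ca_path, domain_suffix_match, domain_match, subject_match,
altsubject_match, phase2) are real wpa_supplicant options; the sample config,
SSIDs, paths and hostnames below are constructed for the demo.
"""
import re

SAMPLE_CONFIG = r'''
# constructed sample: typical "it just works" PEAP profile, no server validation
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
# constructed sample: CA pinned but any cert from that CA is accepted
network={
    ssid="CorpWiFi-PartialCheck"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    phase2="auth=MSCHAPV2"
}
# constructed sample: CA pinned and server name matched
network={
    ssid="CorpWiFi-Hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
'''

SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def parse_networks(text):
    """Return a list of {key: value} dicts, one per network={...} block.
    Comments are stripped and surrounding double quotes removed from values."""
    nets = []
    for block in re.findall(r"network=\{(.*?)\}", text, re.S):
        kv = {}
        for line in block.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, value = line.split("=", 1)
                kv[key.strip()] = value.strip().strip('"')
        nets.append(kv)
    return nets


def audit_network(net):
    """Findings for one tunnelled-EAP network; empty list means nothing flagged."""
    findings = []
    if net.get("eap", "").upper() not in ("PEAP", "TTLS"):
        return findings
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no ca_cert/ca_path: any RADIUS certificate is accepted, so a rogue AP "
                        "can terminate the outer TLS tunnel")
    if not any(k in net for k in SERVER_NAME_KEYS):
        findings.append("no domain_suffix_match/domain_match/subject_match/altsubject_match: "
                        "any certificate chaining to a trusted CA is accepted")
    if findings and "MSCHAPV2" in net.get("phase2", "").upper():
        findings.append("inner auth is MSCHAPv2: a captured challenge/response can be cracked offline "
                        "once the tunnel is terminated by the attacker")
    return findings


def audit_config(text):
    """Map SSID -> list of findings for every network block in the config text."""
    return {net.get("ssid", "<no ssid>"): audit_network(net) for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONFIG).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{ssid}: {status}")
        for f in findings:
            print(f"  - {f}")
```

The middle profile shows the subtle case: pinning a CA is not enough when that CA also issues certificates the attacker can obtain, so a server name match is what actually ties the tunnel to the organization's RADIUS server.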

3xban wrote:If a proper NAC is in place, then a physical breach will hopefully be pointless, or at least pose to great a risk to bother. The more systems they have to circumvent, the more noise they will make and the faster the SOC will catch on.

You're actually a bit wrong on the noise side of the equation. In a situation where I am coming through the front door, I purposefully make more noise. I do so in order to become a needle in a haystack, using as many decoys as I can. Most of the time, I will launch decoys WELL before I even touch a system (hours, maybe even days). I do so to make the analyst think a) he is under uber attack, where all his attention is fixated on the "China APT Syndrome", and b) that his IPS/IDS is acting up, alerts which they'll often end up ignoring.

3xban wrote:Now if you were to target say a customer or sub-contractor of the company and compromise their network through weak Wi-Fi, then you may have a better chance. Dependent on the sensitivity of the data these companies have, you still may fall prey to the parent company's security measures.

Taking things head on (pentesting) is a weak game. Your chances of success are about the same as winning the Powerball nowadays, and this is the reality of it. Once upon a time, network engineers slash admins would slap static addresses on everything under the sun. During these times (late 80s through the nineties, early 2000s), it was easier to find a host on a subnet that MAYBE, just MAYBE, had vulnerable services running. With the depletion of IP space, networkers pulled these addresses back and migrated to NAT.

You have those companies who are "running in the cloud" with their servers, and often times they are doing so via big business (Akamai, etc.), which means those webservers are not even in a DMZ anymore. Hence recon on a subnet, which is noisy. When targeting, I rarely bother via these routes when performing testing because it is not realistic or in tune with the threats. The threats are going to be aimed 90% at the client side versus trying to break down the door.

For those who are trying to bang the door down, I can assure you that I will let you see what you want to see a mile away while I still sneak in your door. So don't ever believe for a second that noise is good and will yield "defensible" information you could use. I use noise for deflection.

sil, to be honest that has little to do with the OP, other than the fact that it makes more sense to go physical if there are NATs making external attacks more difficult. And with the lack of static IPs, some networks use a client system's hostname as a subdomain; I don't know why, but it does happen, so you can find targets that way, and statically IPed systems such as DNS servers or FTP servers are often vulnerable targets.

jinwald12 wrote:sil, to be honest that has little to do with the OP, other than the fact that it makes more sense to go physical if there are NATs making external attacks more difficult. And with the lack of static IPs, some networks use a client system's hostname as a subdomain; I don't know why, but it does happen, so you can find targets that way, and statically IPed systems such as DNS servers or FTP servers are often vulnerable targets.

Didn't see this response before so I'll answer now... While you would *think* that it would make sense to go after wireless networks, the reality of it is, you'd waste a lot of time and money.

In a "cyberwarfare" scenario (remember this forum is based on that theory, nation state based cyberwarfare), there is a high cost associated with the following:

Logistics:
- Placing individuals in a confined area (what are you strategically targeting... You will not get anywhere near a mil base)
- Placing COMPETENT and CAPABLE individuals in these areas - trying to find someone who is fluent in WiSec and ALSO fluent in the language of their location is astronomical
- Feasibility - what are the odds of a wireless network existing where you need it to be; are you wasting time, money, or other resources?

Politics:
- Politics is a huge factor in cyberwarfare. Most govs don't want to admit being aggressors, let alone getting caught with their pants down. So funding would be tricky
- Most in the cyberwarfare arena STILL follow certain rules of engagement. I can't speak much about this, but if you ask around to people in the know, they'd laugh about it as it would be career suicide in the mil/gov space

Realities:
- Webservers, ftp servers, etc., have been outsourced six ways from Sunday with the depletion of IPv4 space. It is RARE you can scan CIDR blocks and find openly vulnerable services on "networks that count" (your targets), which translates into a waste of time, money and resources.
- Client side is where it's at. For all the money you can throw around at any security exploitation (outside pentesting, webscanning, etc.) you'd have a better chance of getting in via the client-side vector versus trying to knock down the front door.

(Cyberwar.news) As the modern world increasingly becomes “wired,” more critical systems and infrastructure are being linked via the Internet. And while that has given rise to incredible new technologies that boost efficiency and capability, it has also meant that countries are more vulnerable to hacking and cyber attack.

Most nations do their best to defend their critical networks against hackers, DDoS (denial of service) attacks and outright cyber assaults. But not all systems are well-protected; some, in fact, are incredibly vulnerable.